Skip to content
This repository has been archived by the owner on May 30, 2020. It is now read-only.
/ ansible-role-os-hardening-restricted-shell Public archive

Adds the ability to enforce the use of a restricted shell for local accounts

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dawud/ansible-role-os-hardening-restricted-shell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
defaults
defaults
 
 
files
files
 
 
filter_plugins
filter_plugins
 
 
meta
meta
 
 
molecule/default
molecule/default
 
 
tasks
tasks
 
 
templates
templates
 
 
vars
vars
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Restricted shell

Adds the ability to enforce the use of a restricted shell for local accounts.

To find more about the motivation behind restricted shells and potential pitfalls:

Requirements

None. The required packages are managed by the role.

Role Variables

  • From defaults/main.yml
# Restricted shell
# Activate/deactivate restricted shell.
security_rhel7_rbash_enabled: 'True'
# SELinux booleans required to prevent user_t and staff_t types from executing
# content in their homes, for the purposes of protecting the restricted shell.
security_rhel7_rbash_sebooleans:
  - name: user_exec_content
    enabled: 'True'
  - name: staff_exec_content
    enabled: 'True'
# TODO: document
# FIXME: enforce only 'present' links
security_rhel7_rbash_binaries:
  - name: clear
    state: 'present'
  - name: sudo
    state: 'present'
  - name: sudoedit
    state: 'present'
  - name: rvim
    state: 'absent'
  - name: rview
    state: 'present'
  - name: less
    state: 'present'
  - name: passwd
    state: 'present'
  - name: awk
    state: 'absent'
  - name: elinks
    state: 'absent'
  - name: scp
    state: 'absent'
  - name: ftp
    state: 'absent'
  - name: python
    state: 'absent'
  - name: perl
    state: 'absent'
#TODO: add more commands with evident shell escapes
# ftp, gdb, more, less (but see LESSSECURE), man, rvim, scp, find
# any scripting language: ruby, perl, python, lua, awk, ...
# Provide the restricted shell with all the coreutils
security_rhel7_rbash_coreutils: 'False'
# Minimum UID numeric value to apply security constraints to. By default,
# all non system accounts.
security_rhel7_min_uid: 1000
  • From vars/main.yml
---
# TODO: document security implications
rbash_custom_binaries: {}

Dependencies

This role depends on ansible-os-hardening-selinux for a more effective confinement of unprivileged users. Read why.

Example Playbook

Example of how to use this role:

    - hosts: servers
      roles:
         - { role: ansible-os-hardening-selinux }
         - { role: ansible-os-hardening-restricted-shell }

Contributing

This repository uses git-flow. To contribute to the role, create a new feature branch (feature/foo_bar_baz), write Molecule tests for the new functionality and submit a pull request targeting the develop branch.

Happy hacking!

License

GPLv3

Author Information

David Sastre

About

Adds the ability to enforce the use of a restricted shell for local accounts

Topics

security ansible ansible-role restricted-shell

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages